Posted 21-Dec-2015
The Impact of Sarbanes-Oxley on IT
Presented by Jerald Savin, FIMC, CMC, CPA, CITP
Cambridge Technology Consulting Group, Inc. 201 Wilshire Blvd., Ste 41, Santa Monica, CA 90401 Tel: (310) 229-8947 - Email: [email protected]
For the July CIO Breakfast
Jerald (Jerry) M. Savin
President/CEO, Cambridge Technology Consulting Group, Inc.
Certified Public Accountant (CPA)
Fellow, Institute of Management Consultants (FIMC)
Certified Management Consultant (CMC)
Certified Information Technology Professional (CITP)
Former Chairman, Institute of Management Consultants USA
Co-author
Richard Savich, Ph.D., C.P.A.
President, ABKO Consulting (A Business Knowledge Organization)
Director, Professional Development Institute, The Collins School of Hospitality Management, Cal Poly Pomona
Formerly, National Director, Management Consulting Training, Coopers & Lybrand and Ernst & Young
Formerly, Professor, USC School of Accounting
Outline
The Sarbanes-Oxley Act
Section 404 - Internal Controls
Trends and Developments
Questions & Answers
The Sarbanes-Oxley Act
101 Board Membership
103 Board Duties
108 Accounting Standards
201 Prohibited Activities
203 Audit Partner Rotation
301 Audit Committees
302 Corporate Responsibility for Financial Reports
402 Loans to Executives
404 Management Assessment of Internal Controls
407 Disclosure of Audit Committee Financial Expert
806 Whistleblower Protection
PCAOB (www.pcaobus.org)
PCAOB - Auditing Standards
Amend, modify, repeal and reject standards suggested by designated professional groups of accountants and by standard-setting advisory groups
Report on its standard-setting activities to the SEC annually
Section 404 Internal Control Standard
PCAOB must adopt an audit standard to implement an internal control review. The standard must require the auditor to evaluate whether the internal control structure and procedures:
Include records that accurately and fairly reflect the transactions of the issuer
Provide reasonable assurance that the transactions are recorded in a manner that will permit the preparation of financial statements in accordance with GAAP, and
Provide a description of any material weaknesses in the internal controls
Section 404 Management Assessment of Internal Controls
404(a) Management's responsibility for establishing and maintaining adequate internal control over financial reporting.
404(b) Independent auditor's responsibility for attesting to and reporting on management's assessment of internal control.
Section 404(a)
Management's Responsibilities:
Implement effective internal control structure and procedures for ICOFR
Evaluate the effectiveness of ICOFR using a suitable internal control framework
Support that evaluation with sufficient evidence
Present a written assessment of the effectiveness at year end
Section 404(b)
Auditor's Responsibilities:
Evaluate management's assessment
Obtain an understanding of the company's ICOFR
Test and evaluate the design and operating effectiveness of ICOFR
Form an opinion regarding the adequacy and effectiveness of ICOFR
Section 302 Corporate Responsibility For Financial Reports (1 of 3)
CEO/CFO certifications
Financial statements and disclosures comply with the requirements of the Exchange Act
Disclosures fairly present, in all material respects, the results of operations and financial condition of the issuer
Section 302 Corporate Responsibility For Financial Reports (2 of 3)
Establish and maintain disclosure controls and procedures that are designed to ensure that material information is made known to the officers
Evaluate the effectiveness of the disclosure controls and procedures as of a date within 90 days prior to the report
Present their conclusions about the effectiveness of the disclosure controls and procedures
Section 302 Corporate Responsibility For Financial Reports (3 of 3)
Disclose to the auditors/audit committee any significant deficiencies or material weaknesses in internal controls and any fraud committed by any person with a significant role in internal control
Indicate whether or not there were significant changes in internal controls or other factors that could significantly affect internal controls subsequent to the date of their evaluation, including corrective actions for significant deficiencies/material weaknesses
Section 404 Management Assessment of Internal Controls (1 of 2)
Internal Control Report
Effective for fiscal years ending on or after:
November 15, 2004 for accelerated filers (originally June 15, 2004)
July 15, 2005 for non-accelerated filers (originally April 15, 2005)
Signed by the CEO and CFO
Must contain statements that:
Management is responsible for establishing and maintaining adequate internal control over financial reporting
Identify the framework used by management to evaluate the effectiveness of the internal control
Assess the effectiveness of the internal controls as of year-end
The auditor has issued an attestation report on management's assessment
Section 404 Management Assessment of Internal Controls (2 of 2)
ICOFR is not effective if there is one or more material weaknesses in internal control
Management's evaluation should be based on a suitable, recognized internal control framework
Internal Control over Financial Reporting (ICOFR) defined (1 of 2)
ICOFR is a process, designed by the principal executive and financial officers and approved by management and the Board of Directors, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. It includes those policies and procedures that:
Internal Control over Financial Reporting (ICOFR) defined (2 of 2)
Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets
Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statement in accordance with GAAP, and that receipts and expenditures are being made only in accordance with authorizations of management and the directors
Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements
The Auditor
Is required to attest to/report on management’s assessment
In accordance with standards issued/adopted by PCAOB
This evaluation is not a separate engagement; it is part of an "… integrated audit …"
Key Dates
July 30, 2002 - Date of enactment
April 18, 2003 - Interim Auditing Standards issued
March 9, 2004 - Auditing Standard No. 2 issued
November 15, 2004 (originally June 15, 2004) - Section 404 internal control assessments due for accelerated filers with fiscal years ending on/after this date
July 15, 2005 (originally April 15, 2005) - Section 404 internal control assessments due for non-accelerated filers with fiscal years ending on/after this date
PCAOB Auditing Standards
2004-001 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (03/09/04) (Standard No. 2)
2003-026 – Technical Amendments to Interim Standards Rules (12/18/03)
2003-025 – References in Auditors' Reports to the Standards of the Public Company Accounting Oversight Board (12/18/03)
2003-009 – Compliance with Auditing and Related Professional Practice Standards (6/30/03)
2003-006 – Establishment of Interim Professional Auditing Standards (4/18/03) (Standard No. 1)
2004-002 – Proposed Auditing Standards Conforming Amendments to PCAOB Interim Standards … (Comment period ended 4/23/04)
PCAOB Standards
An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, Release 2004-001, March 9, 2004
“… integrated audit of the financial statements and internal control over financial reporting.” “… not a … separate engagement.” (p. 8)
“COSO … provides a suitable framework for purposes of management’s assessment.” (p. 9)
“… an auditor impairs his or her independence if the auditor audits his or her own work, including any work on designing or implementing an audit client’s internal control system.” (p. 10,11)
Outline
The Sarbanes-Oxley Act
Section 404 - Internal Controls
Trends and Developments
Questions & Answers
COSO
The Committee of Sponsoring Organizations of the Treadway Commission (AICPA, AAA, FEI, IIA, IMA)
Is a voluntary private sector organization
Formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting
Dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance
COSO Definition of Internal Control
Internal control is a process, instituted by an entity's board of directors and management, that is designed to provide reasonable assurance regarding the achievement of the following categories of objectives:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
COSO Internal Control Framework
“Internal control consists of five interrelated components.”
Control Environment Risk Assessment Control Activities Information and Communication Monitoring
-- Internal Control – Integrated Framework – Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission.
COSO Internal Control Framework
Three categories of objectives: Operations Financial reporting Compliance
Relates to the entire enterprise: To all Units To all Activities
COSO Internal Control Components
-- Internal Control – Integrated Framework – Framework, COSO, p. 13.
COSO Internal Control Framework
-- Internal Control – Integrated Framework – Framework, COSO, p. 15.
COSO Internal Control Framework
[Diagram of the five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring]
COSO Internal Control Components
Control Environment factors:
Organization tone
Discipline and structure
Integrity, ethics, competence
Management philosophy and operating style
Assignment of authority & responsibility
Work organization
Personnel development
Attention & direction of the Board of Directors
-- Internal Control – Integrated Framework – Framework, COSO, p. 19.
COSO Internal Control Components
Control Environment factors:
Integrity & ethical values
Incentives & temptations
Moral guidance
Commitment to competence
Board of Directors & Audit Committee
Management philosophy & operating style
Organizational structure
Assignment of authority & responsibility
Human resources policies & practices
Evaluation (p. 27/28)
-- Internal Control – Integrated Framework – Framework, COSO, p. 19-28.
COSO Internal Control Framework
[Diagram of the five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring]
COSO Internal Control Components
Risk Assessment:
Identify relevant risks to achieving objectives
Analyze these risks
Determine how to manage them
Begins with the objectives:
Operations objectives - achieving the entity's mission
Financial reporting objectives - producing reliable financial statements
Compliance objectives - complying with applicable laws and regulations
-- Internal Control – Integrated Framework – Framework, COSO, p. 29-44.
Risk Assessment
Types of risk:
Control risk - that an error will not be prevented, detected or corrected on a timely basis
Detection risk - failure to detect material errors
COSO Risk Management
Managing change:
Identify & react to routine events
Identify & react to dramatic events
New or redesigned information systems
Rapid growth
New technology
New lines, products, activities, acquisitions
Corporate restructuring
Foreign operations
-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 24-27.
COSO Internal Control Framework
[Diagram of the five components: Control Environment, Risk Assessment, Control Activities (including IS Controls), Information & Communication, Monitoring]
COSO Internal Control Components
Control Activities
Policies and procedures, which include:
Approvals
Authorizations
Verifications
Validations
Reconciliations
Valuations
Classification controls
Completeness controls
Timeliness
Posting and summarization controls
Operating performance reviews
Information processing controls
Asset security
Segregation of duties
-- Internal Control – Integrated Framework – Framework, COSO, p. 45-53.
COSO Information Systems Controls
General Controls:
Data Center Operations
System Software
Access Security
Application Development & Maintenance
Application Controls
COBIT provides details.
-- Internal Control – Integrated Framework – Framework, COSO, p. 45-53.
General Controls for Information Systems
Data Center Operations:
Backup and recovery procedures
Contingency and disaster recovery planning
Job set-up and scheduling procedures
Operational controls
General Controls for Information Systems
System Software Controls:
Acquisition, implementation & maintenance of:
Operating system software
Database management software
Telecommunications
Security and utility software
General Controls for Information Systems
Access Security:
Access controls
Firewalls, Intrusion Detection and Prevention Systems (IDS/IPS)
Password policies
General Controls for Information Systems
Application development (SDLC):
Project authorization
Approval of development & maintenance
Application system development controls
Application system maintenance controls
Testing
Application Controls for Information Systems
Application-level risks:
Application availability
Security
Integrity
Maintainability
Application Controls for Information Systems
Application-level risks:
Data risks:
Completeness
Integrity
Confidentiality
Privacy
Accuracy
Application Controls for Information Systems
Application interface integrity:
All inputs are received
Inputs are valid
Outputs are correct
Outputs are properly distributed
Application Controls for Information Systems
Transaction processing integrity:
Complete
Accurate
Authorized
Valid
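The application controls above (complete, accurate, authorized, valid) and the approvals, authorizations, validations, reconciliations and segregation of duties listed under Control Activities are usually stated as policy. The following is an added example, written for this page and not code from the presentation, COSO or COBIT, showing what those same controls look like when an application enforces them on a journal batch. The batch layout, the chart of accounts, the user-to-role mapping, the approval limits and the sample batch are all hypothetical, constructed for the example.

```python
"""Added example (not from the presentation): application-level transaction
processing controls on a hypothetical journal batch.  The data model, chart of
accounts, role mapping and approval limits are assumptions for illustration."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class Entry:
    entry_id: str
    account: str
    amount: Decimal
    initiated_by: str   # keyed the transaction (record keeping)
    approved_by: str    # authorized it (authorization)
    posted_by: str      # released it to the ledger (custody)


@dataclass
class Batch:
    batch_id: str
    declared_count: int       # control total supplied with the batch
    declared_total: Decimal   # control total supplied with the batch
    entries: List[Entry]


# Hypothetical chart of accounts and approval matrix (constructed for the example).
VALID_ACCOUNTS = {"1000-CASH", "1200-AR", "4000-REVENUE", "6000-OPEX"}
USER_ROLES = {"alice": "clerk", "bob": "supervisor", "carol": "controller", "dave": "clerk"}
APPROVAL_LIMITS = {"supervisor": Decimal("10000.00"), "controller": Decimal("1000000.00")}


def check_batch_completeness(batch: Batch) -> List[str]:
    """Completeness: everything submitted arrived and nothing extra did,
    checked against the batch control totals (record count and hash total)."""
    findings = []
    if len(batch.entries) != batch.declared_count:
        findings.append(f"count mismatch: declared {batch.declared_count}, received {len(batch.entries)}")
    total = sum((e.amount for e in batch.entries), Decimal("0"))
    if total != batch.declared_total:
        findings.append(f"total mismatch: declared {batch.declared_total}, received {total}")
    return findings


def check_entry(e: Entry) -> List[str]:
    findings = []
    # Validity: the account must exist and the amount must be positive.
    if e.account not in VALID_ACCOUNTS:
        findings.append("invalid account")
    if e.amount <= 0:
        findings.append("non-positive amount")
    # Accuracy: monetary amounts carry at most two decimal places.
    if e.amount != e.amount.quantize(Decimal("0.01")):
        findings.append("amount not in whole cents")
    # Authorization: the approver's role must carry a limit covering the amount;
    # unknown users and roles without a limit can approve nothing.
    role = USER_ROLES.get(e.approved_by)
    limit = APPROVAL_LIMITS.get(role, Decimal("0"))
    if e.amount > limit:
        findings.append(f"approver {e.approved_by} ({role}) exceeds limit {limit}")
    # Segregation of duties: authorization, record keeping and custody must be
    # three different people, so one person cannot create, approve and post.
    if len({e.initiated_by, e.approved_by, e.posted_by}) < 3:
        findings.append("segregation of duties violated")
    return findings


def evaluate_batch(batch: Batch) -> Dict[str, List[str]]:
    """Run every control; findings are keyed by batch id and entry id.
    An empty list means the control operated without exception."""
    report = {batch.batch_id: check_batch_completeness(batch)}
    for e in batch.entries:
        report[e.entry_id] = check_entry(e)
    return report


def batch_accepted(report: Dict[str, List[str]]) -> bool:
    """Preventive use: the batch posts only if no control raised an exception."""
    return all(not findings for findings in report.values())


def sample_batch() -> Batch:
    """Constructed sample input (not real data): one clean entry and three
    that each trip a different control."""
    return Batch(
        batch_id="B-1",
        declared_count=4,
        declared_total=Decimal("61900.00"),   # differs from the real sum by a fraction of a cent
        entries=[
            Entry("E1", "4000-REVENUE", Decimal("1500.00"), "alice", "bob", "dave"),
            Entry("E2", "6000-OPEX", Decimal("400.00"), "alice", "alice", "dave"),          # self-approved
            Entry("E3", "1200-AR", Decimal("50000.00"), "dave", "bob", "alice"),            # over supervisor limit
            Entry("E4", "9999-SUSPENSE", Decimal("10000.001"), "dave", "carol", "alice"),  # bad account, fractional cent
        ],
    )


if __name__ == "__main__":
    report = evaluate_batch(sample_batch())
    for key, findings in report.items():
        print(key, "OK" if not findings else "; ".join(findings))
    print("batch accepted:", batch_accepted(report))
```

Run as a gate before posting, `batch_accepted` is a preventive control; run over already-posted batches and logged, the same `evaluate_batch` report is a detective control. The findings list per entry, rather than a single pass/fail, is what gives the assessor evidence that each control operated, which is the point of Section 404 testing.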
COSO Internal Control Framework
[Diagram of the five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring]
COSO Internal Control Components
Information and Communication
"Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities."
To the right people, in sufficient detail, on time
-- Internal Control – Integrated Framework – Framework, COSO, p. 55-63.
COSO Information and Communication
Pertinent Financial & Non-financial Information
Information quality:
Appropriate
Timely
Current
Accurate
Accessible
-- Internal Control – Integrated Framework – Framework, COSO, p. 55-63.
COSO Information & Communication
Including:
Effective communication of duties and control responsibilities
Communication of improprieties
Management's receptivity to employee suggestions
Timely, appropriate management follow-up
Internal and external communications
Customer/supplier communications
Outside awareness of ethical standards
-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 33-35.
COSO Internal Control Framework
[Diagram of the five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring]
COSO Internal Control Components
Monitoring
Ongoing assessment of the system's performance over time
Accomplished through:
Ongoing monitoring
Separate evaluations
Internal and external audits
A combination of these
-- Internal Control – Integrated Framework – Framework, COSO, p. 65-74.
Internal Controls
Traditional generic list of controls:
Preventive, detective, corrective
Manual, computer
Managerial supervision
Internal Control Examples
Direct management of the business
Performance reviews: executive, functional, activity
Use of performance measures, indicators, benchmarks
Independent performance checks
Management of human capital
Internal Controls Examples
Proper procedures for authorizing transactions
Proper execution of transactions & events
Accurate & timely recording of transactions & events
Segregation of duties: authorization, record keeping, custody
Internal Controls Examples
Physical controls over vulnerable assets and records
Access restrictions to, and accountability for, resources & records
Appropriate documentation of transactions and internal controls
Information processing controls
COSO Reference Manual
Format:
Objectives (O = Operations, F = Financial reporting, C = Compliance)
Risks
Points of focus for actions/control activities
-- Internal Control – Integrated Framework – Evaluation Tools, COSO.
COSO Reference Manual
Basic value chain activities: Inbound, Operations, Outbound, Marketing/Sales, Service
-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 49.
COSO Reference Manual
Infrastructure support activities: Administration, Human Resources, Technology Development, Procurement
-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 50.
COSO Reference Manual
Administrative subactivities: Manage Finance, Manage Enterprise, Manage External Relations, Provide Administrative Services, Manage Information Technology, Manage Risks, Manage Legal Affairs, Plan
-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 50.
COSO Reference Manual
Administrative Controllership subactivities: Process A/P, Process A/R, Process Funds, Process Fixed Assets, Analyze and Reconcile, Process Benefits & Retirement
-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 50.
COSO Reference Manual
Administrative Controllership subactivities (continued): Process Payroll, Process Tax Compliance, Process Product Costs, Provide Financial & Management Reporting
-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 50.
COSO Summary
Criticized as:
Too vague - contains guidelines, doesn't contain a specific work program
Too operational - includes operational areas traditionally outside the auditor's examination
IT Controls
ISACA (formerly the EDP Auditors Association), founded in 1967
ISACA
Standards
Guidelines
Procedures
Control Objectives
Control Practices
Audit Guidelines
Management Guidelines
COBIT
Control OBjectives for Information and related Technology
ISACA/IT Governance Institute
Defines IT controls in terms of four domains: Planning & Organization; Acquisition & Implementation; Delivery & Support; Monitoring
COBIT
Planning & Organization:
Define strategic IT plan
Define information architecture
Determine technology direction
Define IT organization & relationships
Manage IT investment
Communicate management aims & direction
COBIT
Planning & Organization (continued):
Manage human resources
Comply with external requirements
Assess risks
Manage projects
Manage quality
COBIT
Acquisition & Implementation:
Identify automated solutions
Acquire & maintain application software
Acquire & maintain technology infrastructure
Develop & maintain procedures
Install & accredit systems
Manage changes
COBIT
Delivery & Support:
Define & manage service levels
Manage third-party services
Manage performance & capacity
Ensure continuous service
Ensure systems security
Identify & allocate costs
COBIT
Delivery & Support (continued):
Educate & train users
Assist & advise customers
Manage configuration
Manage problems & incidents
Manage data
Manage facilities
Manage operations
COBIT
Monitoring:
Monitor the process
Assess internal control adequacy
Obtain independent assurance
Provide for independent audit
Specific IT Control Issues
ERP
BPI (Business Process Improvement)
B2C & B2B
Risk measurement
Intrusion detection
Viruses
Email integrity
Third Parties
Evaluate the role third parties play in relation to IT environment, related controls and control objectives
Third-party provider controls
Third parties' subcontractors
SAS 70 Type 2
ISO 17799 (BS7799)
“A comprehensive set of controls comprising best practices in information security”
“Management should set a clear policy direction and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization”
ISO 17799 (BS7799)
Security Policy
System Access Control
Computer & Operations Management
System Development & Maintenance
Physical & Environmental Security
Compliance
Personnel Security
Security Organization
Asset Classification and Control
Business Continuity Management (BCM)
Mgmt Assessment Process
1. Plan the Assessment
2. Document the ICOFR
3. Evaluate their design & effectiveness
4. Identify, Assess, Correct Deficiencies
5. Prepare written assessment
-- Adapted from the 404 Institute
Mgmt Assessment Process
1. Plan the Assessment
Determine scope: controls related to all significant accounts and disclosures in the financial statements
An account is considered significant when there is more than a remote likelihood that it could contain misstatements that, individually or aggregated with others, could have a material effect on the financial statements. -- Standard No. 2
Mgmt Assessment Process
1. Plan the Assessment
Identify the assessment team
Identify significant milestones, schedule, resources
Determine the documentation approach
Mgmt Assessment Process
1. Plan the Assessment
Other considerations:
Multi-location
Use of outside service organizations - Type II SAS 70 report
Evaluation of IT controls - IT risks:
Inaccurately processing accurate data; accurately processing inaccurate data
Unauthorized access; unauthorized changes to programs/data; potential loss of data
Mgmt Assessment Process
2. Document ICOFR
Document the design of controls over relevant assertions
Document the initiation, authorization, recording, processing and reporting of significant transactions
Document transaction flow to identify where misstatements might occur
Mgmt Assessment Process
2. Document ICOFR
Document controls designed to prevent or detect fraud
Document controls over period-end processing
Document controls to safeguard assets
Document the results of management's assessment
Mgmt Assessment Process
3. Evaluate the design & effectiveness of ICOFR
Effectively designed controls are expected to prevent and detect errors or fraud
Design = the controls are appropriate to prevent or detect misstatements
Effectiveness = the controls are functioning as designed
Mgmt Assessment Process
3. Evaluate the design & effectiveness of ICOFR
Measuring effectiveness:
Are the systems functioning as intended?
Are the controls operating as designed?
Do the people performing the controls possess the authority and qualifications to perform them effectively?
Mgmt Assessment Process
4. Identify, Assess & Correct Deficiencies
Deficiency
Deficiencies exist when misstatements are not prevented or detected on a timely basis in the normal course of business
Design deficiency = a necessary control is missing or not properly designed
Operating deficiency = a properly designed control is not operating as designed, or the person performing the control does not possess the necessary authority or qualifications to perform it effectively
Mgmt Assessment Process
4. Identify, Assess, Correct Deficiencies
Definitions:
Significant deficiency = a control deficiency that adversely affects the initiation, authorization, recording, processing or reporting of reliable financial data
Material weakness = a significant deficiency that results in more than a remote likelihood that a material misstatement will not be prevented or detected
Per PCAOB Standard No. 2
Mgmt Assessment Process
5. Prepare report
Management acknowledges its responsibility for establishing and maintaining adequate ICOFR
Identifies the ICOFR framework used
Assesses the effectiveness of ICOFR as of year-end
No sample management report was provided in Standard No. 2.
The Audit Process
1. Plan the engagement
2. Evaluate Management’s Assessment Process
3. Understand company’s ICOFR
4. Test & Evaluate Design and Effectiveness of ICOFR
5. Form an Opinion
-- Adapted from the 404 Institute
Auditor Questions
What was examined to determine the existence of errors?
What kinds of errors were found?
What happened as a result of finding these errors?
How were the errors resolved?
Have personnel been asked to override the processes or controls?
Internal Control Assessment
Alternative approaches:
Financial statement/account based
Systems based
Role of "best practice models"
Account Based Approach
Begin with financial statement captions or trial balance accounts
Identify: business cycle, client processes, inherent risks
Risk ranking (High, Medium, Low)
Identify internal controls
Account Based Approach
# | F/S Caption | Business Cycle | Client Process | Inherent Risks | Risk Ranking
1 | Revenue | Revenue Cycle | Client's sales process | Revenue recognition; Authorization; Billing accuracy; GAAP compliance | High
2 | Accounts Receivable | Treasury Cycle | AR process; Cash application process; Collection process; Discrepancy resolution | Accuracy; Application; Valuation | High
3 | Cash | Treasury Cycle | Cash receipts; Check authorization/writing | Accuracy; Completeness | High
4 | Operating Expenses | Expenditure Cycle - Non-payroll | Vendor controls; Procurement process; Receiving process; Invoice processing; General ledger recording | Accuracy; Completeness; Segregation of duties | Medium
5 | Accrued Compensation | Expenditure Cycle - Payroll | Employee hiring; Personnel records; Time and attendance capture; Payroll interface | Accuracy; Completeness | High
Evaluating Risk
In terms of:
Materiality
Process complexity
Susceptibility to change
Accounting history
Evaluating Risk
Materiality:
Dollar amount
Transaction volume
Impact on ratios & covenants
Individually & collectively
Evaluating Risk
Process complexity:
Number of people/departments
Number of steps/phases
Number of interfaces ("hand-offs")
Number of internal controls
Technical nature
Skill required vs. skill available
Evaluating Risk
Susceptibility to change:
Process stability
Likelihood of future changes
Accounting history:
Number of errors
Number of adjustments
Systems Based Approach
Identify business processes
Express them in flow charts: conceptual and physical
Examine the transaction life cycle (from cradle to grave)
Perform tests of transactions
Systems Based Approach
Approaches:
"Black box" - reconciliation
"White box" - internal controls
Identify control mechanisms: are they adequate (design)? Are they effective?
Internal Controls
Which approach is best?
Top down: process oriented; systemic approach; requires systems expertise; may take longer
Bottom up: financial statement/account oriented; focuses on the pieces before the whole; tends to exaggerate the number of assertions and controls; does not necessarily comprehend the whole
Outline
The Sarbanes-Oxley Act
Section 404 - Internal Controls
Trends and Developments
Questions & Answers
Trends
Internal control review is more expensive than audit, at least the first time
Internal control prep takes extensive resources and budget
Annual reports will increase in size
Trends
Different standards among the Big 4
Different standards within the Big 4
Struggle between auditors and clients over the amount of ICOFR
Big 4 cannot consult on ICOFR for audit clients: the "grey line"
May provide some guidance/resources, but cannot impair independence
Private Companies Trends
Two standards: "Big GAAS" and "Little GAAS"
Other actions:
Banking regulators
SEC: non-public broker-dealers deferred until after 1/1/05
Cascading:
New York - 8 bills
California - AB 664 (Correa), AB 665 (Correa), SB 1262 (Sher), SB 1272
Private Companies Trends
Being acquired by a public company just became more complicated
Going public just became more complicated
Questions to ponder
How will SOX be applied to non-public companies?
What will businesses do differently tomorrow because of SOX?
How will you be involved?
From the IT Perspective
Confusing, contradictory guidance
Prone to evaluate IT at the micro level rather than the macro level: corporate-level policy/procedures adapted for locations/systems
Fail to involve IT in accounting systems assessments
Compartmentalize the controls
From the IT Perspective
Assessors have limited IT expertise
Opportunity to enhance IT: convert a directive into growth
IT will require additional resources to comply
From the IT Perspective
Confusing areas: business continuity; third parties
Hot topics: change management; system development/maintenance; security
From the IT Perspective
Weak areas: data integrity
Complicating factors: multi-location; multi-system
Resources
www.404institute.com www.aaahq.org www.accountingweb.com www.aicpa.org www.coso.org www.fei.org
www.imanet.org www.isaca.org www.pcaobus.org www.sec.gov www.theiia.org
Resource
Internal Control Reporting – Implementing Sarbanes-Oxley Section 404, AICPA paperback
Contents: Authoritative literature; COSO IC Integrated Framework; Project planning; Documentation of internal control; Testing of internal control
Outline
The Sarbanes-Oxley Act
Section 404 - Internal Controls
Trends and Developments
Questions & Answers
Questions and Answers
Good Luck!